1. Field of the Invention
The present invention relates to apparatus and method for improving the security of authentication procedures using a new “Super PIN”, particularly for protecting credit card and other purchase transactions.
2. Related Art
Authentication of users and systems began with the signature or seal. These methods are not very secure and rely principally on legal protections, such as laws against forgery, to ensure their effectiveness. The signature or seal has been largely replaced by secret passwords and Personal Identification Numbers (PINs) to authenticate users of systems, and this has been common practice for a number of years. These authentication systems have proven themselves and are widely used to authenticate people for systems ranging from computers to credit cards and telephone cards. They are also used for automated authentication of systems such as cellular telephones. The security of these systems is limited by their vulnerability to compromise of the password or PIN. They do, however, have an advantage over an ordinary signature in that they can be processed automatically. The standard solution to this problem has been to move to a much more complicated system relying on smart cards to provide encryption or challenge/response security for authentication. This solution, while very effective, is also quite expensive to deploy on a large scale: individual cards must be issued and an infrastructure built to process them.
Transaction security systems usually consist of a Unique Identifier that is used as a reference for the individual involved in a transaction (such as a credit card account number). This identifier indicates the individual involved in the transaction. The most commonly used security solution is to augment the identifier with a Personal Identification Number (PIN). This Secret Identifier is entered into ATM machines or phones for transactions. The problem with this solution for many transactions is that the Secret Identifier may be disclosed: “shoulder surfing” is a major problem for phone cards. Without the use of a Secret Identifier, a Unique Identifier is not sufficient because it is widely distributed.
The next level of solution that has been proposed is to use a smart card to store or process Secret Identifier information so that it is only available to the issuer of the card or to the card itself. The problem with this approach is that, while it is very secure, it is also expensive. Additional processing capability is required at the location of each transaction, and someone must pay for the smart card itself.